2005-04-29 17:45:15 +00:00
|
|
|
#DESC Portmap - Maintain RPC program number map
|
|
|
|
#
|
|
|
|
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
|
|
|
|
# Russell Coker <russell@coker.com.au>
|
|
|
|
# X-Debian-Packages: portmap
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#################################
|
|
|
|
#
|
|
|
|
# Rules for the portmap_t domain.
|
|
|
|
#
|
|
|
|
daemon_domain(portmap, `, nscd_client_domain')
|
|
|
|
|
|
|
|
can_network(portmap_t)
|
2005-09-13 13:06:07 +00:00
|
|
|
allow portmap_t port_type:tcp_socket name_connect;
|
2005-04-29 17:45:15 +00:00
|
|
|
can_ypbind(portmap_t)
|
|
|
|
allow portmap_t self:unix_dgram_socket create_socket_perms;
|
|
|
|
allow portmap_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
|
|
|
|
tmp_domain(portmap)
|
|
|
|
|
|
|
|
allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind;
|
|
|
|
dontaudit portmap_t reserved_port_type:{ udp_socket tcp_socket } name_bind;
|
|
|
|
|
|
|
|
# portmap binds to arbitary ports
|
|
|
|
allow portmap_t port_t:{ udp_socket tcp_socket } name_bind;
|
|
|
|
allow portmap_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
|
|
|
|
|
|
|
|
allow portmap_t etc_t:file { getattr read };
|
|
|
|
|
|
|
|
# Send to ypbind, initrc, rpc.statd, xinetd.
|
|
|
|
ifdef(`ypbind.te',
|
|
|
|
`can_udp_send(portmap_t, ypbind_t)')
|
|
|
|
can_udp_send(portmap_t, { initrc_t init_t })
|
|
|
|
can_udp_send(init_t, portmap_t)
|
|
|
|
ifdef(`rpcd.te',
|
|
|
|
`can_udp_send(portmap_t, rpcd_t)')
|
|
|
|
ifdef(`inetd.te',
|
|
|
|
`can_udp_send(portmap_t, inetd_t)')
|
|
|
|
ifdef(`lpd.te',
|
|
|
|
`can_udp_send(portmap_t, lpd_t)')
|
|
|
|
ifdef(`tcpd.te', `
|
|
|
|
can_udp_send(tcpd_t, portmap_t)
|
|
|
|
')
|
|
|
|
can_udp_send(portmap_t, kernel_t)
|
|
|
|
can_udp_send(kernel_t, portmap_t)
|
|
|
|
can_udp_send(sysadm_t, portmap_t)
|
|
|
|
can_udp_send(portmap_t, sysadm_t)
|
|
|
|
|
|
|
|
# Use capabilities
|
|
|
|
allow portmap_t self:capability { net_bind_service setuid setgid };
|
|
|
|
allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
|
|
|
|
|
|
|
|
application_domain(portmap_helper)
|
|
|
|
role system_r types portmap_helper_t;
|
|
|
|
domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t)
|
|
|
|
dontaudit portmap_helper_t self:capability { net_admin };
|
|
|
|
allow portmap_helper_t self:capability { net_bind_service };
|
|
|
|
allow portmap_helper_t { var_run_t initrc_var_run_t } :file rw_file_perms;
|
2005-09-13 13:06:07 +00:00
|
|
|
file_type_auto_trans(portmap_helper_t, var_run_t, portmap_var_run_t, file)
|
2005-04-29 17:45:15 +00:00
|
|
|
allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
|
|
|
|
can_network(portmap_helper_t)
|
2005-09-13 13:06:07 +00:00
|
|
|
allow portmap_helper_t port_type:tcp_socket name_connect;
|
2005-04-29 17:45:15 +00:00
|
|
|
can_ypbind(portmap_helper_t)
|
|
|
|
dontaudit portmap_helper_t admin_tty_type:chr_file rw_file_perms;
|
|
|
|
allow portmap_helper_t etc_t:file { getattr read };
|
2005-09-13 13:06:07 +00:00
|
|
|
dontaudit portmap_helper_t { userdomain privfd }:fd use;
|
2005-04-29 17:45:15 +00:00
|
|
|
allow portmap_helper_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
|
|
|
|
dontaudit portmap_helper_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
|